For both of the suggested ways (3-clicks or manual), I have some concerns about the principal setup, which I think could be improved:

The principal that is created during the process is granted the “Contributor” role on the whole Azure subscription, and with the manual PowerShell script the default role is even “Owner” (this can be modified).
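To check an existing subscription for this condition, the following added example (not part of the setup scripts discussed here) lists service principals that hold “Owner” or “Contributor” directly at subscription scope. It assumes the Az PowerShell module and a session already signed in with `Connect-AzAccount`.

```powershell
# Added example. Assumes the Az module is installed and Connect-AzAccount has been run.
$subscriptionId    = (Get-AzContext).Subscription.Id
$subscriptionScope = "/subscriptions/$subscriptionId"
$broadRoles        = 'Owner', 'Contributor'

# The query may also return assignments made at other scopes, so keep only
# those whose Scope is the subscription itself.
$findings = Get-AzRoleAssignment -Scope $subscriptionScope |
    Where-Object {
        $_.ObjectType -eq 'ServicePrincipal' -and
        $_.Scope -eq $subscriptionScope -and
        $broadRoles -contains $_.RoleDefinitionName
    } |
    Select-Object DisplayName, ObjectId, RoleDefinitionName, Scope

if ($findings) {
    # Each row is a principal that can change every resource in the subscription.
    $findings | Sort-Object RoleDefinitionName, DisplayName | Format-Table -AutoSize
} else {
    Write-Output "No service principal holds Owner or Contributor at $subscriptionScope"
}
```

A principal reported here can be narrowed by assigning the role at resource group scope with `New-AzRoleAssignment` and then removing the subscription-level assignment with `Remove-AzRoleAssignment`.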

The name of the Active Directory Application/Principal is a random GUID, which makes it difficult to identify; see this picture: